2017 MILCOM

Technical Panel: Threat-Based Cyber Risk Assessment (Room 317)

Government and industry have used multiple guidelines and standards over the years to assess the adequacy of information system security architectures and implementations.  Most of these approaches dictate a set of controls to be implemented, based on an assessment of the risk to the confidentiality, integrity, or availability of data and services.  One shortcoming of these approaches is that they do not explicitly consider the attack vectors and threat tactics to which the specific information system has been, or may be, subjected.  Nor can they prioritize which additional controls would do the most to reduce risk.

Threat-based cyber risk assessments analyze the security capabilities of information systems in the context of the tactics and procedures that attackers may use against them.  These approaches have several advantages.  Each provides a measurement of the residual risk to the information system for a given set of controls.  Each can also prioritize the implementation of additional controls to maximize risk reduction.  For platform IT and weapons systems, the threat-based approaches can assess the risk to missions from cyber attack.

Threat-based cyber risk assessments are rapidly becoming relevant within the Department of Defense.  The National Defense Authorization Act (NDAA) for Fiscal Year 2016, Section 1647, requires the Secretary of Defense to “complete an evaluation of the cyber vulnerabilities of each major weapon system of the Department of Defense by not later than December 31, 2019.”  A standardized approach, or at least a common representation of the analysis results, will make the assessments easier to understand and help prioritize cyber security investments to reduce risk.

Several of the approaches currently in development are migrating to a common threat framework to describe the attacker’s potential tactics and procedures.  The threat framework is organized by the attacker’s objectives at successive stages of an attack, identifying the potential tactics for accomplishing each stage.

Although these threat-based risk assessment approaches share some features, they also differ significantly.  Some approaches are mission-aware, measuring the mission impact of cyber threats; others instead support assessment of multi-mission enterprise systems.  Some approaches explicitly evaluate attack paths, while others do not.  Some also consider financial cost to help prioritize investments in security controls.

The panelists in this session will discuss three emerging threat-based cyber risk assessment approaches and their application in different contexts, including both enterprise and platform IT systems.  The panel will discuss the pros and cons of each approach and the opportunities to standardize aspects of the assessment methodologies, including the threat framework.  The panel will include methodology developers and representatives of organizations interested in applying those methodologies.  (Note: The panelist from DMDC will provide the end-user organization perspective.  The other panelists will present diverse approaches to the risk assessment problem, including some input from the end-user organization and NDAA Section 1647 perspectives.)